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1 DETAILED ACTION 

2 This action is in response to the communication dated 7/25/2005. 

3 Election/Restrictions 

4 This application contains claims directed to the following patentably distinct species of 

5 the claimed invention: 

6 I. Claims 89-100, 148-159, and 207-218 are directed towards a server subsystem for 

7 detecting malicious content (See Fig. 5A). 

8 II. Claims 101-1 12, 160-171, and 219-230 are directed towards a client subsystem for 

9 detecting malicious content (See Fig. 5B). 

10 III. Claims 1 13-123, 172-183, and 23 1-242 are directed towards a gateway subsystem for 

1 1 detecting malicious content (See Fig. 5C). 
12 

13 Applicant's election without traverse of Invention III, which includes claims 1 13-123, 

14 172-183, and 23 1-242, in the reply filed on 7/25/2005 is acknowledged. 
15 

16 Claims 1-88, 1 13-147, 172-206, and 231-243 have been examined. 

17 Title 

1 8 The title of the invention is acceptable. 

19 Priority 

20 This application has no priority claimed. 

21 Therefore, the effective filing date for the subject matter defined in the pending claims in 

22 this application is 10/22/2001 . 
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1 Information Disclosure Statement 

2 The information disclosure statement(s) (IDS) submitted on 2/12/2002 are in compliance 

3 with the provisions of 37 CFR 1 .97. Accordingly, the examiner is considering the information 

4 disclosure statements. 

5 Drawings 

6 The drawings filed on 10/22/2001 are acceptable for examination proceedings. 

7 Specification 

8 Applicant is reminded of the proper language and format for an abstract of the disclosure. 
9 

1 0 The abstract should be in narrative form and generally limited to a single paragraph on 

1 1 a separate sheet within the range of 50 to 150 words. It is important that the abstract not exceed 

12 150 words in length since the space provided for the abstract on the computer tape used by the 

1 3 printer is limited. The form and legal phraseology often used in patent claims, such as "means" 

14 and "said, " should be avoided. The abstract should describe the disclosure sufficiently to assist 

1 5 readers in deciding whether there is a need for consulting the full patent text for details. 
16 

17 The language should be clear and concise and should not repeat information given in the 

1 8 title. It should avoid using phrases which can be implied, such as, "The disclosure concerns, " 

1 9 "The disclosure defined by this invention, " "The disclosure describes, " etc. 
20 

21 The abstract of the disclosure is objected to because: 

22 The abstract of the disclosure fails to meet the minimum length requirement of 50 words. 

23 Correction is required. See MPEP § 608.01(b). 

24 Claim Rejections - 35 USC §102 

25 The following is a quotation of the appropriate paragraphs of 35 U.S. C. 102 that form the 

26 basis for the rejections under this section made in this Office action: 

27 A person shall be entitled to a patent unless - 

28 (e) the invention was described in (1) an application for patent, published under section 

29 122(b), by another filed in the United States before the invention by the applicant for patent or 

30 (2) a patent granted on an application for patent by another filed in the United States before the. 
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1 invention by the applicant for patent, except that an international application filed under the 

2 treaty defined in section 351(a) shall have the effects for purposes of this subsection of an 

3 application filed in the United States only if the international application designated the United 

4 States and was published under Article 21(2) of such treaty in the English language, 
5 

6 Claims 1-14, 17-22, 67-80, and 83-88 are rejected under 35 U.S.C. 102(e) as being 

7 anticipated by Le Pennec et al. (US Patent Application Publication 2001/0020272) hereinafter 

8 referred to as Le Pennec. 

9 Regarding claim 1, Le Pennec disclosed a method of detecting malicious content 

10 comprising: examining at least two characteristics of a digital object (See Le Pennec Paragraph 

1 1 0192); analyzing said at least two characteristics to determine whether there exists a mismatch 



12 therebetween (See Le Pennec Paragraph 0192); and upon determination of the existence of a 

13 mismatch, classifying said digital object as a digital object possibly containing malicious content 

1 4 (See Le Pennec Paragraph 0 1 98). 



1 5 Regarding claim 67, Le Pennec disclosed a system for detecting malicious content 

16 comprising: a digital object examiner, examining at least two characteristics of a digital object 

17 (See Le Pennec Paragraph 0192); a characteristics mismatch detector, analyzing said at least 

18 two characteristics to determine whether there exists a mismatch therebetween (See Pennec 

19 Paragraph 0192); and a digital object classifier, operative upon determination of the existence 

20 of a mismatch, classifying said digital object as a digital object possibly containing malicious 

2 1 content (See Le Pennec Paragraph 0 1 98). 

22 Regarding claims 2-3, and 68-69, Le Pennec disclosed that malicious content comprises 

23 malicious code, and masqueraded content (See Le Pennec Paragraphs 0009-0017). 

24 Regarding claims 4-6, 17-22, 70-72, and 83-88, Le Pennec disclosed that at least one of 

25 said at least two characteristics is selected from a set consisting of: header information; file 
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1 content; file name extension; and file icon (See Le Pennec Paragraph 0192 wherein the 

2 signature of the file was computed which includes all of the listed characteristics of the file). 

3 Regarding claims 7-14, and 73-80, Le Pennec disclosed said digital object is selected 

4 from a set consisting of: a file; an e-mail attachment; a web page; and a storage medium (See 

5 Le Pennec Paragraph 0023). 

6 Claims 23-36, 39-40, 44, 126-139, 142-143, 147, and 172-184 are rejected under 35 

7 U.S.C. 102(e) as being anticipated by Stewart et al. (US Patent Number 6,901,5 19) hereinafter 

8 referred to as Stewart. 

9 Regarding claims 23 and 126, Stewart disclosed a method of detecting malicious content 

10 comprising: obtaining information relating to at least two characteristics of a digital object (See 

1 1 Stewart Col. 3 Line 46 - Col. 4 Line 3); analyzing said information to categorize said digital 

12 object into at least two categories (See Stewart Col. 3 Line 46 - Col. 4 Line 3); comparing said 

13 at least two categories to decide whether there exists a mismatch therebetween (See Stewart 

14 Col. 3 Line 46 - Col. 4 Line 3); upon determination of the existence of a mismatch, classifying 

15 said digital object as a digital object possibly containing malicious content (See Stewart Col. 3 

16 Line 46 - Col. 4 Line 3). 

17 Regarding claims 24-25, and 127-128, Stewart disclosed that malicious content 

18 comprises malicious code, and masqueraded content (See Stewart Col. 1 Lines 21-39). 

19 Regarding claims 26-28, 39-40, 44, 129-131, 142-143, and 147, Stewart disclosed that at 

20 least one of said at least two characteristics is selected from a set consisting of: header 

21 information; file content; file name extension; and file icon (See Stewart Col. 3 Line 46 - Col. 

22 4 Line 3 wherein the extension is header information). 
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1 Regarding claims 29-36, and 132-139, Stewart disclosed that said digital object is 

2 selected from a set consisting of: a file; an e-mail attachment; a web page; and a storage 

3 medium (See Stewart Col. 3 Lines 56-58). 

4 Regarding claims 172-184, Stewart disclosed that said digital object information obtainer 

5 comprises a digital object information obtainer gateway subsystem; said characteristic based 

6 categorizer comprises a characteristic based categorizer gateway subsystem; said categories 

7 mismatch detector comprising a mismatch detector gateway subsystem; and said digital object 

8 classifier comprising a mismatch detector gateway subsystem (See Stewart Fig. 1 Element 102 

9 and Col. 3 Lines 28-45). 

1 0 Claim Rejections - 35 USC §103 

1 1 The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

12 obviousness rejections set forth in this Office action: 

13 A patent may not be obtained though the invention is not identically disclosed or 

14 described as set forth in section 102 of this title, if the differences between the subject matter 

1 5 sought to be patented and the prior art are such that the subject matter as a whole would have 

1 6 been obvious at the time the invention was made to a person having ordinary skill in the art to 

17 which said subject matter pertains. Patentability shall not be negatived by the manner in which 

1 8 the invention was made. 
19 

20 Claims 15-16, 45-66, 81-82, and 185-206 are rejected under 35 U.S.C. 103(a) as being 

2 1 unpatentable over Le Pennec. 

22 Regarding claims 45 and 185, Le Pennec disclosed examining at least two characteristics 

23 of a digital object; analyzing said at least two characteristics to determine whether there exists a 

24 mismatch therebetween; and upon determination of the existence of a mismatch, classifying 

25 said digital object as a digital object possibly containing malicious content (See the rejection of 
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1 claim 1 above), but failed to disclose that the characteristics may be selected by the creator of 

2 the digital object independently of selection of another characteristic and further failed to 

3 disclose that the object could be a web page or storage medium. 

4 It was well known in the art at the time of invention that the creator of a digital signature 

5 could select what was being signed. Furthermore, it was well known in the art that web pages 

6 and storage mediums could contain malicious content and as a result should be checked for 

7 malicious content. It therefore would have been obvious to the ordinary person skilled in the art 

8 at the time of invention to employ what was known in the art in the signature system of Le 

9 Pennec by allowing the creator of the file to sign whichever portions of the file the creator 

10 chose. This would have been obvious because the ordinary person skilled in the art would have 

1 1 been motivated to provide a more flexible environment for the creator. It further would have 

12 been obvious to the ordinary person skilled in the art at the time of invention to employ what 

13 was known in the art in the signature system of Le Pennec by applying the signature checking to 

14 web sites and storage mediums as well. This would have been obvious because the ordinary 

1 5 person would have been motivated to protect against malicious content in web pages and 

16 storage mediums as well as files and attachments. 

17 Regarding claims 46-58, 61-66, 186-198, and 201-206, see the rejections of claims 2-14, 

18 and 17-22 above. 

19 Claims 1 13-125, and 231-243 are rejected under 35 U.S.C. 103(a) as being unpatentable 

20 over Le Pennec as applied to claims 67 and 185 above, and further in view of Touboul et al. (US 

2 1 Patent Number 6, 1 54,844) hereinafter referred to as Touboul. 
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1 Le Pennec disclosed a system for detecting malicious content comprising: a digital object 

2 examiner, examining at least two characteristics of a digital object (See Le Pennec Paragraph 

3 0192); a characteristics mismatch detector, analyzing said at least two characteristics to 

4 determine whether there exists a mismatch therebetween (See Pennec Paragraph 0192); and a 



5 digital object classifier, operative upon determination of the existence of a mismatch, classifying 

6 said digital object as a digital object possibly containing malicious content (See Le Pennec 

7 Paragraph 0198), but failed to disclose the system being implemented in a gateway. 

8 Touboul teaches that in order to protect a network, protection such as determining 

9 suspicion of downloadable content should be applied in a gateway (See Touboul Col. 5 Lines 13- 

10 33). 

1 1 It would have been obvious to the ordinary person skilled in the art at the time of 

12 invention to employ the teachings of Touboul in the virus protection system of Le Pennec by 

13 applying the protection in a gateway. This would have been obvious because the ordinary person 

14 skilled in the art would have been motivated to protect the network from transmitting malicious 

1 5 content. 

16 Claims 37-38, and 140-141 are rejected under 35 U.S.C. 103(a) as being unpatentable 

17 over Stewart. 

1 8 Stewart disclosed a method of detecting malicious content comprising: obtaining 

19 information relating to at least two characteristics of a digital object (See Stewart Col. 3 Line 46 

20 - Col. 4 Line 3); analyzing said information to categorize said digital object into at least two 

21 categories (See Stewart Col. 3 Line 46 - Col. 4 Line 3); comparing said at least two categories to 

22 decide whether there exists a mismatch therebetween (See Stewart Col. 3 Line 46 - Col. 4 Line 



Application/Control Number: 10/037,109 Page 9 

Art Unit: 2131 

1 3); upon determination of the existence of a mismatch, classifying said digital object as a digital 

2 object possibly containing malicious content (See Stewart Col. 3 Line 46 - Col. 4 Line 3), but 

3 failed to disclose that the object could be a web page or storage medium. 

4 It was well known in the art that web pages and storage mediums could contain malicious 

5 content and as a result should be checked for malicious content. 

6 It would have been obvious to the ordinary person skilled in the art at the time of 

7 invention to employ what was known in the art in the virus detection system of Stewart by 

8 applying virus detection to web pages and storage mediums as well. This would have been 

9 obvious because the ordinary person would have been motivated to protect against malicious 

10 content in web pages and storage mediums as well as files and attachments. 

1 1 Claims 41-43, and 144-146 are rejected under 35 U.S.C. 103(a) as being unpatentable 

12 over Stewart as applied to claims 23, and 126 above, and further in view of Pasawicz ("The 

1 3 Importance of File Extensions"). 

14 Stewart disclosed a method of detecting malicious content comprising: obtaining 

15 information relating to at least two characteristics of a digital object (See Stewart Col. 3 Line 46 

16 - Col. 4 Line 3); analyzing said information to categorize said digital object into at least two 

17 categories (See Stewart Col. 3 Line 46 - Col. 4 Line 3); comparing said at least two categories to 

18 decide whether there exists a mismatch therebetween (See Stewart Col. 3 Line 46 - Col. 4 Line 

19 3); upon determination of the existence of a mismatch, classifying said digital object as a digital 

20 object possibly containing malicious content (See Stewart Col. 3 Line 46 - Col. 4 Line 3), but 

21 failed to disclose checking the icon of the object as well in order to determine suspiciousness of 

22 the object. 
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1 Pasawicz teaches that there are many telltale signs of malicious files including icon 

2 "faking" in which the icon does not match the file type in order to mislead a user into thinking 

3 the file is one type (i.e. an image file) when it is actually a different type (i.e. an executable file) 

4 (See Pasawicz Page 5 Col. 1). 

5 It would have been obvious to the ordinary person skilled in the art at the time of 

6 invention to employ the teachings of Pasawicz in the virus detection system of Stewart by 

7 checking the icon type in addition to the extension and content types for coincidence. This 

8 would have been obvious because the ordinary person skilled in the art would have been 

9 motivated to apply the know signs of a malicious file to the detection system in order to trap the 

1 0 most "viruses" as possible. 

1 1 Conclusion 

12 Claims 1-88, 1 13-147, 172-206, and 231-243 have been rejected. 

13 The prior art made of record and not relied upon is considered pertinent to applicant's 

14 disclosure. 

15 a. Rosenthal (US Patent Number 5,359,659) disclosed determining suspicious files 

16 based on the filename vs. file extension. 

17 b. Houser et al. (US Patent Number 5,606,609) disclosed determining suspicious 

18 files based on the icon vs. the content. 

19 c. Chen et al. (US Patent Number 5,95 1,698) disclosed determining suspicious filed 

20 based on the extension and the content. 

21 d. Bates et al. (US Patent Number 6,721,721) disclosed checking web pages for 

22 viruses. 
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e. 



Tsai (US Patent Application Publication 2003/0097409) disclosed parsing an E- 



2 



mail header and attachments for suspicious content. 



3 



Any inquiry concerning this communication or earlier communications from the 



4 examiner should be directed to Matthew T. Henning whose telephone number is (571) 272-3790. 

5 The examiner can normally be reached on M-F 8-4. 



7 supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 

8 organization where this application or proceeding is assigned is 571-273-8300. 



10 Application Information Retrieval (PAIR) system. Status information for published applications 

1 1 may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 

12 applications is available through Private PAIR only. For more information about the PAIR 

13 system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 

1 4 system, contact the Electronic Business Center (EBC) at 866-2 1 7-9 1 97 (toll-free). 
.15 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
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Information regarding the status of an application may be obtained from the Patent 
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